acme: going to be a tad mroe selective

applications/acme.nix

@@ -1,29 +1,45 @@
-{ config, ... }:{
+{ pkgs, lib, ... }:
-  # group that will own the certificates
+  with lib;
-  users.groups.acme = {};
+  let
+    cfg = config.services.skynet_acme;
+  in {
 
-  age.secrets.acme.file = ../secrets/dns_certs.secret.age;
+  imports = [];
 
-  security.acme = {
+  options.services.skynet_acme = {
-    preliminarySelfsigned = false;
+    enable = mkEnableOption "Skynet Lets Encrypt certs";
-    acceptTerms = true;
 
-    defaults = {
+    domains = lib.mkOption {
-      email = "admin_acme@skynet.ie";
+      default = [ ];
-      # we use our own dns authorative server for verifying we own the domain.
+      type = lib.types.listOf lib.types.str;
-      dnsProvider = "rfc2136";
+      description = ''
-      credentialsFile = config.age.secrets.acme.path;
+        A list of domains to use for this server.
+      '';
     };
+  };
 
-    certs = {
+  config = {
-      "skynet" = {
+    # group that will own the certificates
-        domain = "skynet.ie";
+    users.groups.acme = {};
-        extraDomainNames = [
+
-          "*.skynet.ie"
+    age.secrets.acme.file = ../secrets/dns_certs.secret.age;
-          "*.minecraft.games.skynet.ie"
+
-          "*.pages.skynet.ie"
+    security.acme = {
-          "api.account.skynet.ie"
+      preliminarySelfsigned = false;
-        ];
+      acceptTerms = true;
+
+      defaults = {
+        email = "admin_acme@skynet.ie";
+        # we use our own dns authorative server for verifying we own the domain.
+        dnsProvider = "rfc2136";
+        credentialsFile = config.age.secrets.acme.path;
+      };
+
+      certs = {
+        "skynet" = {
+          domain = "skynet.ie";
+          extraDomainNames = cfg.domains;
+        };
       };
     };
   };